A new WORM_NUWAR.CQ variant (filename: postcard.exe, 50,648 bytes) has been spreading since last night. This worm has been detected since pattern file CPR 4.250.01. Once again, faked bills with the subject “KD Webshop Bestellung” are being seeded. Attached is the file “rechnung.exe” (file size: 8,522 bytes), which IntelliTrap detects as PAK_Generic.001. Detection will be available in the upcoming CPR as TROJ_YABE.BK. Faked “1&1” bills are being seeded, too. The attachment name is “rechnung.zip.exe” (file size: 7,016 bytes), which will be detected as TROJ_YABE.BL. As usual, don’t click on .exe files and, if possible, block .exe files in general on your email server or gateway.
Author Archive - Rainer Link (Senior Threat Researcher)
Since late afternoon on 31/01, faked emails appearing to come from the BKA (Germany’s Federal Criminal Police Office) have been spammed within Germany. The subject of these emails is “Ermittlungsverfahren Nr. [number]”, where [number] is a random number. The email attachment is an EXE file (e.g. 2981956.exe), which is detected as TROJ_DLOADER.KHZ. This trojan downloads further malware, which is detected as TSPY_BZUB.GK. If you receive such an email, just delete it. As general advice for a corporate environment, please block all .exe and .com files, if possible. The BKA has issued a press release on this issue. If you assume your computer is already infected, you’re welcome to use our free online scanner HouseCall.
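Both posts above end with the same recommendation: block .exe and .com attachments at the email server or gateway. The following is an added example of how such a check can be implemented, written for this page and not code from Trend Micro or from the original posts. It parses a raw message with Python’s standard `email` library, flags attachments whose filename carries a blocked extension anywhere in the name (so a double extension such as “rechnung.zip.exe” is caught), and separately flags any attachment whose content starts with the `MZ` header of a Windows executable, which catches renamed binaries that an extension-only rule would miss. The sample message is constructed inline and its “executables” are just the two magic bytes followed by filler, not real binaries.

```python
"""Gateway-side attachment check: flag executable attachments by name and by content.

Added example for this page; not from the original posts or any Trend Micro product.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the posts above recommend blocking at the mail server or gateway.
BLOCKED_EXTENSIONS = {".exe", ".com"}
# Windows PE (MZ) executables start with these two bytes, whatever the file is called.
MZ_MAGIC = b"MZ"


def suspicious_extensions(filename):
    """Return every blocked extension found anywhere in the filename.

    "rechnung.zip.exe" yields {".exe"}. Every dotted segment is examined, not
    just the last one, so the trailing part of a double extension cannot hide
    an earlier ".exe" either.
    """
    found = set()
    name = filename.lower()
    while True:
        name, ext = os.path.splitext(name)
        if not ext:
            return found
        if ext in BLOCKED_EXTENSIONS:
            found.add(ext)


def find_executable_attachments(raw_message):
    """Parse a raw RFC 822 message (bytes) and return [(filename, [reasons]), ...].

    Only attachments with at least one finding are returned; an empty list
    means the message carries nothing this check objects to.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = []
        exts = suspicious_extensions(filename)
        if exts:
            reasons.append("blocked extension " + ", ".join(sorted(exts)))
        if payload.startswith(MZ_MAGIC):
            reasons.append("content starts with MZ (Windows executable)")
        if reasons:
            findings.append((filename, reasons))
    return findings


def build_sample_message():
    """Constructed sample resembling the faked bills above; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "rechnung@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "KD Webshop Bestellung"
    msg.set_content("Ihre Rechnung finden Sie im Anhang.")
    # Double extension plus MZ magic: caught by both rules. Filler bytes, not a real binary.
    msg.add_attachment(MZ_MAGIC + b"\x90\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="rechnung.zip.exe")
    # Renamed executable: innocent extension, executable content. Caught by the magic rule only.
    msg.add_attachment(MZ_MAGIC + b"\x00" * 32, maintype="application",
                       subtype="pdf", filename="rechnung.pdf")
    # Harmless text attachment that should pass both rules.
    msg.add_attachment("Vielen Dank", filename="hinweis.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in find_executable_attachments(build_sample_message()):
        print(name, "->", "; ".join(reasons))
```

The extension rule alone would have let “rechnung.pdf” through, and the magic-byte rule alone says nothing about a .exe that is not a PE file, so a gateway policy should apply both. In practice the magic check belongs after decompression as well, since attachments like the “rechnung.zip.exe” name suggests are often shipped inside archives.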
http://www.geocities.com/myphotos30021. It spoofs the Yahoo!Photos site.
[Snapshot of the spoofed site.]
The site has already been submitted to Web Blocking Team.
There are reports of zero-day exploit code in the wild for the client-side RealPlayer and Helix Player. A format string vulnerability in these media players can be exploited to execute malicious code on the affected system. Specially crafted media files, including the .RP (RealPix) and .RT (RealText) formats, can trigger the vulnerability.
The exploit code also states that RealPlayer was informed about the vulnerability. However, the code was released to the public before RealPlayer came up with a patch for the problem. The author of the exploit apologized for the untimely release of the code, as quoted below.
“Real have been duly informed about this issue and are fixing. Sadly though, it seems someone is trying to pinch my research, as such I have been forced to release this advisory sooner than hoped. Until Real get a new release out, do not play untrusted media with RealPlayer or HelixPlayer. Sorry Real.com!
Moral of the story, don’t talk about personal research on IRC. Thank you plagiarizers”
Enter the EULAlyzer… It’s not really a super-savvy tool that can determine that the package you are installing is totally hogwash, but it is quite useful for those of us who are allergic to reading gazillions of pages of EULAs. It also sports a very user-friendly interface.
Here’s a walkthrough in EULAlyzing Grokster:
I get to the Grokster License Agreement… and my allergies start showing.
I open the EULAlyzer and drag the crosshair to the text area of Grokster’s EULA… and it’s ready to be EULAlyzed!
Then I click the Analyze button and some strings get flagged…
Then I expand the “+” on the left side of the flagged text and check out the sneaky things.
And somehow I’m not so happy anymore… Oh well, I still need to read the EULA to verify the context of the statements flagged by the EULAlyzer, but hey, at least I already got a glimpse of those sneaky things and I have an idea of what I’m putting onto my PC. And I can even save the sneaky EULA for future reference.
Note: The EULAlyzer is a product of Javacool Software LLC. You can read more about it and download it from their site.
Thanks to Mr. Daves Espia for the Heads up.